U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Early Warning Report

EPA Should Prepare and Distribute Security Classification Guides

Report No. 11-P-0722
September 29, 2011

Report Contributors:
    Christine Baughman
    Hilda Canes Garduño
    Allison Dutton
    Christine El-Zoghbi
    Eric Lewis
    Russell Moore

Abbreviations

CFR      Code of Federal Regulations
EO       Executive Order
EPA      U.S. Environmental Protection Agency
ISOO     Information Security Oversight Office
NHSRC    National Homeland Security Research Center
NSI      National security information
OARM     Office of Administration and Resources Management
OCA      Original classification authority
OIG      Office of Inspector General

Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:

e-mail:  OIG_Hotline@epa.gov
phone:   1-888-546-8740
fax:     703-347-8330
online:  http://www.epa.gov/oig/hotline.htm
write:   EPA Inspector General Hotline
         1200 Pennsylvania Avenue NW
         Mailcode 8431P (Room N-4330)
         Washington, DC 20460

At a Glance

Why We Did This Review
The Office of Inspector General (OIG) is responsible for independently reviewing U.S. Environmental Protection Agency (EPA) programs related to national security. We evaluated the scope and nature of EPA’s classified national security information (NSI) infrastructure, and its ability to provide information to those who need it.

Background
Some EPA staff members are cleared to access, use, and create classified NSI in the performance of their assigned duties. EPA must protect NSI according to executive order and other national and EPA guidance. EPA policy requires that a classification guide shall be developed for each system, plan, program, or project in which classified information is involved. The Office of Administration and Resources Management manages EPA’s NSI program.

What We Found
EPA has not established any official classification guides even though EPA Administrators have taken original classification actions. Original classification actions involve someone with original classification authority assigning a classification level to a particular document. According to the NSI program team leader, classification guides have not been prepared because EPA Administrators have only classified a few documents. Executive Order 13526 states that agencies with original classification authority shall prepare classification guides to facilitate the proper and uniform derivative classification of information. Further, EPA’s National Security Information Handbook requires that a classification guide be developed for each system, plan, program, or project that involves classified information. Without classification guides, EPA staff and other users of EPA’s classified information may not be uniformly and consistently identifying information for classification, nor classifying information in a uniform and consistent manner. Ultimately, information that should be identified for safeguarding could be unintentionally released, resulting in harm to national security. Therefore, the lack of classification guides is a material internal control weakness in EPA’s classified NSI program.

This report presents a significant finding identified during our ongoing review that requires immediate attention. We will issue a final report that will discuss other results of our review of EPA’s classified NSI infrastructure.

What We Recommend
We recommend that the Administrator ensure the preparation, review, and approval of appropriate security classification guides that conform to the requirements of Executive Order 13526, Classified National Security Information, and EPA’s NSI handbook. We also recommend that the Administrator ensure the distribution of classification guides to users of EPA’s originally classified information and to program offices that work in related subject areas. The Office of Administration and Resources Management, which responded on behalf of the Agency, did not agree with the report’s conclusions, and the recommendations are unresolved.

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2011/20110929-11-P-0722.pdf

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

September 29, 2011

MEMORANDUM

SUBJECT:  EPA Should Prepare and Distribute Security Classification Guides
          Report No. 11-P-0722

FROM:     Arthur A. Elkins, Jr.
          Inspector General

TO:       Lisa P. Jackson
          Administrator

This early warning report is to inform you of a finding by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA) that requires your immediate attention. The purpose of this OIG review was to evaluate the scope and nature of EPA’s national security information infrastructure, and its ability to disseminate classified information to those who need it. This report presents a significant OIG finding identified during our ongoing review. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days. You should include a corrective actions plan for agreed-upon actions, including milestone dates.
Your response will be posted on the OIG’s public website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal. We have no objections to the further release of this report to the public. We will post this report to our website at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact Wade Najjum at (202) 566-0827 or najjum.wade@epa.gov, or Eric Lewis at (202) 566-2664 or lewis.eric@epa.gov.

Table of Contents

Purpose
Background
Scope and Methodology
Results of Review
    EPA Has Not Established Classification Guides
    Reasons for Not Publishing Classification Guides Are Not Valid
    EPA Uses Other Guidance in Lieu of Classification Guides
    EPA Classification Guides Could Be Used by Others
Conclusions
Recommendations
Agency Comments and OIG Evaluation
Status of Recommendations and Potential Monetary Benefits

Appendices
    A    Agency Response to the Draft Report and OIG Evaluation
    B    E-mail From the Information Security Oversight Office
    C    Distribution

Purpose
The purpose of this review was to evaluate the scope and nature of the U.S. Environmental Protection Agency’s (EPA’s) classified national security information (NSI) infrastructure, and its ability to provide information to those who need it.

Background
Executive Order (EO) 13526, Classified National Security Information, establishes basic guidance for handling classified NSI in the federal government. “Classified national security information” or “classified information” is information that has been determined, pursuant to EO 13526 or any predecessor order, to require protection against unauthorized disclosure.
It is marked to indicate a classification level of “Confidential,” “Secret,” or “Top Secret.” EPA creates, receives, handles, and stores classified material because of its homeland security, emergency response, and continuity missions. Information is originally classified at the “Confidential” or “Secret” level at EPA because its release could damage or seriously damage national security.

A classification level is assigned by one of two methods:

   1. Someone with original classification authority may assign a level to the document.
   2. Someone without original classification authority, who is properly authorized and trained per EO 13526, may assign a level based on:
       a. Information already classified that was incorporated, paraphrased, or restated to create the new document, or
       b. A classification guide.

A classification guide is written guidance signed by someone with original classification authority. The classification guide identifies the elements of information regarding a specific subject that must be classified, and establishes the level and duration of classification for each such element.

Classification by other than an original authority is called derivative classification.
EO 13526 states that agencies with original classification authority shall prepare classification guides to facilitate the proper and uniform derivative classification of information.

EPA’s National Security Information Handbook requires that a classification guide be developed for each system, plan, program, or project that involves classified information. Subject-matter experts from a program office or facility are responsible for preparing classification guides. The final draft of the guide must be submitted to the NSI program team in the Security Management Division to ensure compliance with the EO on classified NSI. The NSI program team then forwards the final draft to the Office of Homeland Security for review and processing for approval by the original classification authority.

The Administrator has the sole authority to originally classify EPA information up to and including “Secret.” This authority cannot be delegated to another official. Past EPA Administrators had the authority to delegate original classification authority but decided to review and approve all original classification actions. However, EO 13526, signed on December 29, 2009, does not permit the current Administrator to delegate original classification authority. Currently, all classification guides at EPA must be approved by the Administrator.

Scope and Methodology
We conducted this evaluation in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the review to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our evaluation objectives.

From December 2010 through August 2011, we interviewed staff from the Office of Administration and Resources Management (OARM), Security Management Division; the Office of Homeland Security; the Office of Research and Development, National Homeland Security Research Center (NHSRC); and the Office of Solid Waste and Emergency Response, Office of Emergency Management. We reviewed national-level and EPA guidance relevant to classified NSI, and analyzed other documents and reports related to EPA’s management of classified NSI. We have not reviewed any information marked as classified NSI. Additional details on our scope and methodology will be included in a separate final report that will discuss results of the full Office of Inspector General (OIG) review of EPA’s infrastructure for handling classified information.

Results of Review

EPA Has Not Established Classification Guides

EPA has not established any official classification guides even though EPA Administrators have taken original classification actions. According to the acting deputy director of the Security Management Division and the NSI program team leader, classification guides have not been prepared because EPA Administrators have only classified a few documents.
EO 13526 states that agencies with original classification authority shall prepare classification guides to facilitate the proper and uniform derivative classification of information. EPA’s NSI handbook requires that a classification guide be developed for each system, plan, program, or project that involves classified information. Without classification guides, EPA staff and other users of EPA’s classified information may not be uniformly and consistently identifying information for classification, nor classifying information in a uniform and consistent manner. Ultimately, information that should be identified for safeguarding could be unintentionally released, resulting in harm to national security. Therefore, the lack of classification guides is a material internal control weakness in EPA’s classified NSI program.

Reasons for Not Publishing Classification Guides Are Not Valid

According to the acting deputy director of the Security Management Division and the NSI program team leader, EPA has not prepared any classification guides for information for which the Administrators have used original classification authority because the authority has been used infrequently. Two documents were classified in 2004, and four documents were classified in 2008. According to the senior intelligence advisor in the Office of Homeland Security, the Administrator recently exercised original classification authority for a seventh document. Classification guides are required to ensure the proper and uniform derivative classification of information.
The infrequent use of original classification authority at EPA does not relieve the Agency of the requirement to prepare classification guides.

According to the NHSRC security manager, about 8 years ago EPA discussed the need for classification guides. At the time, the Security Management Division argued that classification guides would not be required since the incumbent Administrator wanted to review all original classification actions and would not be delegating original classification authority. However, classification guides are necessary so that individuals without original classification authority are capable of identifying and ensuring proper safeguarding of information that could damage national security.

In 2006, EPA published the National Security Information Handbook, Revision 1, which required that a classification guide be developed for each system, plan, program, or project that involved classified information. Administrators have used original classification authority to classify five documents since the current NSI handbook was published. By not preparing and distributing official classification guides, EPA is not following the guidance in its NSI handbook nor is it meeting the requirements of EO 13526 and the predecessor order.

EPA Uses Other Guidance in Lieu of Classification Guides

The NHSRC security manager prepared a topics handbook that is similar to a classification guide. The topics handbook contains elements that are required in a classification guide, but does not identify the original classification authority or include the date of issuance or last review.
According to the security manager, he uses the topics handbook as a screening tool to establish standards and methods to exert objectivity and discipline in making original classification recommendations to the Administrator. The topics handbook contains a caveat that it is not authorized as a classification guide.

EPA Classification Guides Could Be Used by Others

Classification guides issued by EPA could be used by others, including those outside of EPA. The EPA documents originally classified by the Administrator were subsequently distributed to other agencies. Title 32 Code of Federal Regulations (CFR) § 2001.15(c) specifies that classification guides shall be disseminated as necessary to ensure the proper and uniform derivative classification of information. Because it does not prepare classification guides, EPA does not currently provide this guidance to other agencies that may use its originally classified information. EPA should distribute classification guides to other agencies that use its originally classified information to ensure uniform derivative classification of information.

The NHSRC security manager expressed concern that classification guides were not prepared and distributed to other offices within EPA. Some of these offices work in subject areas that include sensitive information that may have previously been designated as classified NSI by the Administrator.
Without classification guides that show the types of information that should be classified, these offices may unintentionally release classified information through unclassified means. Depending on the information released, national security could be seriously damaged.

Conclusions
EPA has not implemented a key internal control to protect information that could damage the national security of the United States. Without classification guides, EPA has no assurance that classified NSI is properly identified or safeguarded at the Agency.

Recommendations
We recommend that the Administrator:

   1. Ensure the preparation, review, and approval of appropriate security classification guides that conform to the requirements of EO 13526, Classified National Security Information, and EPA’s National Security Information Handbook.

   2. Ensure the distribution of classification guides to users of EPA’s originally classified information and to program offices that work in related subject areas.

Agency Comments and OIG Evaluation
OARM, responding on behalf of the Agency, disagreed with the report’s factual findings, interpretation of governing legal authorities, characterization of the program, conclusions, and recommendations.

OARM does not believe that EPA needs to create a classification guide. To support its position, OARM offered an e-mail dated June 1, 2011, from the acting director, Information Security Oversight Office (ISOO), National Archives and Records Administration.
ISOO is responsible for oversight of the government-wide security classification system and issued the federal regulation (32 CFR Part 2001) that implements EO 13526. Based on a 2005 on-site review of EPA’s program and its regular monitoring of EPA activities, the acting director said he did not believe that EPA needed to create a classification guide since EPA has used its original classification authority only six times. He noted that in 2005, ISOO commended EPA for its decisionmaking process.

The OIG disagrees. Classification guides are to facilitate derivative classification. It is specifically stated in EO 13526 that agencies with original classification authority shall prepare classification guides to facilitate the proper and uniform derivative classification of information. EPA internal guidance specifically requires security classification guides to be developed for each system, plan, program, or project in which classified information is involved. EPA’s guidance notes that classification guides also serve as declassification guides. EPA’s guidance also requires that the guides be revised whenever necessary to promote effective derivative classification. EPA has not complied with its own internal policies. In our opinion, this noncompliance is a material internal control weakness.

OARM offered to have the NSI team (1) continue to work closely with ISOO, and (2) explore options for how best to enhance the classification process at EPA.
The proposed alternative is unacceptable because it does not address the intent of the recommendations.

The issues and recommendations for corrective action are unresolved and the material weakness is unaddressed. The Agency’s complete written response to the draft report, and our evaluation of the response, are in appendix A. The e-mail from ISOO’s acting director is in appendix B.

Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS                                                                                               POTENTIAL MONETARY BENEFITS (in $000s)

Rec.  Page                                                                                       Planned      Claimed  Agreed-To
No.   No.   Subject                                               Status [1]  Action Official    Completion   Amount   Amount
                                                                                                 Date
----  ----  ----------------------------------------------------  ----------  -----------------  -----------  -------  ---------
1     4     Ensure the preparation, review, and approval of       U           The Administrator
            appropriate security classification guides that
            conform to the requirements of EO 13526,
            Classified National Security Information, and EPA’s
            National Security Information Handbook.

2     4     Ensure distribution of classification guides to       U           The Administrator
            users of EPA’s originally classified information
            and to program offices that work in related subject
            areas.

[1] O = recommendation is open with agreed-to corrective actions pending
    C = recommendation is closed with all agreed-to actions completed
    U = recommendation is unresolved with resolution efforts in progress

Appendix A

Agency Response to the Draft Report and OIG Evaluation

June 10, 2011

MEMORANDUM

SUBJECT:  Response to Early Warning Report OPE-FY10-0024

FROM:     Craig E. Hooks, Assistant Administrator
          Office of Administration and Resources Management

TO:       Arthur A. Elkins, Jr.
          Inspector General

Thank you for the opportunity to comment on the Office of Inspector General’s (OIG’s) Early Warning Report: EPA Should Prepare and Distribute Security Classification Guides, dated May 11, 2011.

The Office of Administration and Resources Management (OARM) believes that the Report is not warranted.
We respectfully disagree with the Report’s factual findings, interpretation of governing legal authorities, characterization of EPA’s National Security Information (NSI) program, conclusions, and recommendations. Our reasons are presented below, beginning with the results of our consultation on the Report with the Acting Director of the Information Security Oversight Office, National Archives and Records Administration.

Findings of the Information Security Oversight Office (ISOO)
The Security Management Division (SMD) consulted with ISOO about the Report and whether EPA should prepare classification guides. ISOO is responsible to the President for policy and oversight of the government-wide security classification system and the National Industrial Security Program. ISOO receives authority from Executive Order (EO) 13526, Classified National Security Information (the “Order”), December 29, 2009. ISOO is the federal executive agent for implementation of EO 13526.

In a June 1, 2011, email to EPA’s NSI Team (attached), Acting Director William Cira stated the following (emphasis added):

    ISOO does not believe that EPA needs to create a classification guide. ISOO does not believe that EPA is in violation of section 2.2 of the Order...EPA has strong processes in place to ensure that classification decisions are appropriate and in accordance with the Order...The purpose of Section 2.2 of the Order is to ensure that those agencies that have several [Original Classification Authorities (OCAs)] and make many classification decisions are doing so in an effective and efficient manner that aids the classification system by ensuring uniformity and consistency. EPA only has one OCA; unlike at almost all other agencies, it may not be delegated.
    Additionally, unlike almost all other agencies, it has a very minute amount of classification activity...While the exact letter of the Order seems to suggest that all agencies granted OCA authority by the president must have classification guides, there is still room for judgement and common sense. In our view, looking at the program and its activity in its entirety, EPA’s program is fully functioning and has the appropriate checks and balances in place to ensure that its classification program is consistent and effective.

OIG Response: EO 13526 states that agencies with original classification authority shall prepare classification guides. EPA internal guidance also requires the issuance of classification guides. As stated under EO 13526, Section 2.2(a):

    Agencies with original classification authority shall prepare classification guides to facilitate the proper and uniform derivative classification of information.

EPA’s NSI handbook states, in Section 2-208:

    A security classification guide shall be developed for each system, plan, program, or project in which classified information is involved.

EPA has exercised both original and derivative classification actions, but has not issued the required classification guide, in contravention of the EO and its own guidance.

With regard to ISOO, EO 13526 explicitly directs ISOO to (1) take the necessary steps to implement the order, (2) establish standards for classification and for classification guides, and (3) oversee agency actions to ensure compliance with the order. Federal government employees are charged with abiding by EO 13526. An e-mail from ISOO’s acting director, after noncompliance has been disclosed, neither excuses EPA from its responsibility to create classification guides nor releases EPA from its responsibility to comply with EO 13526.
As stated under EO 13526, Section 5.5(b):

       Officers and employees of the United States Government, and its contractors,
       licensees, certificate holders, and grantees shall be subject to appropriate
       sanctions if they knowingly, willfully, or negligently . . . contravene any other
       provision of this order or its implementing directives.


Disagreement with the Report’s Factual Findings
First, the Report states: “EPA has not established any official classification guides even though
EPA Administrators have taken original classification actions” (p. 2). While ISOO verifies that
EPA does not currently need a classification guide (June 1, 2011, email), the NSI program took
forward-looking steps, beginning in June 2010, to create a classification guide in anticipation of
possible future needs. The Agency has in fact considered, although not approved and finalized,
several draft classification guides.

Second, the Report states: “The infrequent use of original classification authority at EPA does
not relieve the Agency of the requirement to prepare classification guides” (p. 3). ISOO’s June
1, 2011, email makes the infrequent use of original classification authority a primary
reason why EPA does not currently need a classification guide.
In supporting his finding,
Acting Director Cira states: “EPA’s situation is unique in that the OCA may not be delegated and
it rarely needs to exercise this OCA authority.” The Report’s second finding is therefore in
conflict with the assessment of the federal executive agent responsible for implementation of EO
13526.

OIG Response: As noted above, the EO specifically states that classification guides shall be
prepared and specifically requires appropriate sanctions if any provision of the EO is
contravened. As stated in our draft report, our review found that “EPA has not established any
official classification guides even though EPA Administrators have taken original classification
actions.” OARM acknowledges in the response to our draft report that EPA does not have an
official (approved and finalized) classification guide. The existence, much less the mere
consideration, of several unapproved drafts does not change the fact that EPA does not have
any official classification guide.

OARM argues that “the infrequent use of original classification authority [is] a primary reason
why EPA does not currently need a classification guide.” The EO does not support this
position. The EO prescribes a uniform system for classifying, safeguarding, and declassifying
national security information, including information relating to defense against transnational
terrorism.
Neither EO 13526 nor 32 CFR Part 2001 makes a distinction between agencies that
make frequent or infrequent use of original classification authority, or between agencies that
have several original classification authorities and those that have only one original
classification authority.


Disagreement with the Report’s Interpretation of Governing Legal Authorities
The Report states: “EO 13526 requires agencies with original classification authority to prepare
classification guides to facilitate the proper and uniform derivative classification of information”
(p. 2), and also: “EPA is not meeting the requirements of EO 13526...” (p. 3). This conclusion
erroneously interprets the governing legal authorities here, by interpreting EO 13526 without
reference to the regulatory directives of 32 C.F.R. Parts 2001 and 2003.

EO 13526 repeatedly directs that in handling classified information, including the use of
classification guides, federal executive agencies, such as EPA, must “conform to standards”
contained in legally binding directives “issued by” the Director of ISOO under the Order. EO
13526, Sec. 2.2, 4.2, 5.1 (2010). In fact, the Director of ISOO was charged with issuing
“binding” directives to implement EO 13526’s standards on classification guides. Id. at 5.1(5).
The Director of ISOO did so through promulgating 32 C.F.R. Parts 2001 and 2003 in 2010. 32
C.F.R. 2001.1(b) (“...these directives are binding on agencies”).

Nothing in Parts 2001 and 2003 mandates issuance of classification guides. In fact, the opposite
is true. 32 C.F.R.
§ 2001.15(c) explicitly states that classification guides “shall be disseminated
as necessary to ensure the proper and uniform derivative classification of information.” 32
C.F.R. § 2001.16 contains a directive for classification guidance review that presumes some
agencies with original classification authority may not have authored classification guides.

OIG Response: There is no misinterpretation. EO 13526 specifically states that agencies with
original classification authority shall prepare classification guides to facilitate the proper and
uniform derivative classification of information. The CFR sections, quoted (out of context) by
OARM, specifically tell users of the ISOO directive that they are to refer to the EO
concurrently for guidance. As stated in the Federal Register that implemented the regulations,
Supplementary Information:

       This final rule is issued pursuant to the provisions of 5.1(a) and (b) of
       Executive Order 13526 . . . and amends 32 CFR part 2001 . . . The purpose
       of this Directive is to assist in implementing the Order; users of the
       Directive shall refer concurrently to that Order for guidance.

Title 32 CFR § 2001.15 grants certain latitude in the dissemination of classification guides.
OARM’s reasoning misses the point that, for there to be latitude in the dissemination of a
classification guide, the Agency must first have prepared a classification guide. We also note
that OARM’s response did not address EPA’s failure to comply with its own guidance, the
2006 National Security Information Handbook, Revision 1.
EPA’s guidance states in
Section 2-208:

       A security classification guide shall be developed for each system, plan,
       program, or project in which classified information is involved . . .
       Security classification guides will be approved in writing by the OCA
       authorized to classify the information. Copies of the guides will be
       distributed by the originating organization to those organizations and
       activities believed to be derivatively classifying information covered by
       the guide or have a valid need-to-know.

Contrary to OARM’s position, we believe that the preparation of classification guides is
required by EPA’s NSI handbook.


Disagreement with the Report’s Characterization of the NSI Program
The Report states: “...the lack of classification guides is a material internal control weakness in
EPA’s classified NSI program” (p. 3) and also: “Without classification guides, EPA has no
assurance that classified NSI is properly identified or safeguarded at the Agency” (p. 4). Yet
ISOO Acting Director Cira states in his June 1, 2011, email (emphasis added):

       EPA has developed a meticulous and rigorous process for deciding to originally
       classify records...ISOO has met yearly with EPA officials to discuss its classified
       national security program. Additionally, ISOO is in regular communication with EPA
       security staff to discuss EPA’s classified security program.
       Finally ISOO regularly
       monitors EPA’s classified national security program...EPA has strong processes in
       place to ensure that classification decisions are appropriate and in accordance with
       the Order.

Disagreement with the Report’s Conclusion and Recommendations
Because the Report relies on incorrect factual and legal bases and is contrary to the assessment of
ISOO, the federal executive agent responsible for EO 13526 and its implementing regulations,
OARM does not agree with the Report’s conclusions and recommendations. The Report’s
conclusion that EPA has not implemented a key internal control to protect information that could
“damage the national security of the United States” is unfounded.

The Report’s unqualified recommendations that the Administrator must immediately “ensure the
preparation, review, and approval of appropriate security classification guides” and “ensure the
distribution of classification guides” are also unfounded.

OIG Response: In our opinion, EPA’s long-term noncompliance with the EO and its own NSI
handbook constitutes a material internal control weakness. The OIG believes that the lack of
classification guides is itself a material internal control weakness. EPA Order 1000.24
Change 2, dated July 18, 2008, defines an internal control weakness in Section 11 as:

       A deficiency or flaw in the design or operation of a control that does not
       allow management or employees, in their normal course of performing
       their assigned function, to prevent or detect vulnerabilities in a timely
       manner.

In this case, the vulnerability is the potential release of information that might harm national
security.
Further, contravening the EO meets the criteria in Section 8D of EPA Order 1000.24
for determining whether a weakness is material in nature:

       Program managers should use the following criteria to determine whether
       a weakness is material in nature: . . .
          3. Violates statutory, judicial, or regulatory requirements . . .


Alternative Actions/Next Steps
The NSI Team will continue to work closely with ISOO to advance EPA’s program in
anticipation of possible future needs. The Team will collaborate with the Office of Homeland
Security and the program offices to explore options for how best to enhance the classification
process at EPA.


Appendix B

E-mail From the Information Security Oversight Office

The following e-mail was submitted by ISOO to EPA on June 1, 2011.

Subject: EPA Classification Policy

EPA has asked ISOO if it needs to create a classification guide in accordance with Section 2.2 of
Executive Order 13526 (“the Order”).

Finding: ISOO does not believe that EPA needs to create a classification guide. ISOO does not
believe that EPA is in violation of section 2.2 of the Order. ISOO continues to believe that EPA
has strong and sufficient controls in place with regard to its original classification program.

Background and supporting observations:
1. In the past seven fiscal years, EPA has originally classified a total of six documents. See FY
list at the bottom of this e-mail message.
2. EPA is one of the few agencies granted Original Classification Authority by the President.
Under the Order, only the Administrator serves as the OCA and she may not delegate this
authority.
EPA’s situation is unique in that the OCA may not be delegated and it rarely needs to
exercise this OCA authority.
3. EPA has developed a meticulous and rigorous process for deciding to originally classify
records. ISOO conducted a detailed on-site review in September 2005 that, among other items,
commended EPA for its decision-making process. At that time, ISOO found that EPA’s detailed
process ensured that each possible classification decision was well-thought out, rational, and
informed. Further, ISOO found that this process involved all appropriate staff and offices,
including the Office of the Administrator.
4. Since this detailed on-site audit, ISOO has met yearly with EPA officials to discuss its
classified national security program. Additionally, ISOO is in regular communications with EPA
security staff to discuss EPA’s classified national security program. Finally, ISOO regularly
monitors EPA’s classified national security program and evaluates EPA’s reports and responses
to ISOO data calls and requests.
5. EPA has strong processes in place to ensure that classification decisions are appropriate and
in accordance with the Order.
6. The purpose of Section 2.2 of the Order is to ensure that those agencies that have several
OCAs and make many classification decisions are doing so in an effective and efficient manner
that aids the classification system by ensuring uniformity and consistency. EPA only has one
OCA; unlike at almost all other agencies, it may not be delegated. Additionally, unlike almost
all other agencies, it has a very minute amount of classification activity.


Concluding remarks: While the exact letter of the Order seems to suggest that all agencies
granted OCA authority by the President must have classification guides, there is still room for
judgement and common sense.
In our view, looking at the program and its activity in its entirety,
EPA’s program is fully functioning and has the appropriate checks and balances in place to
ensure that its classification program is consistent and effective.

2010-
Original-0
Derivative-16

2009-
Original-0
Derivative-4

2008-
Original-3
Derivative-10

2007-
Original-0
Derivative-13

2006-
Original-0
Derivative-46

2005-
O-2
D-5

2004-
O-1
D-0


Appendix C

Distribution

Office of the Administrator
Assistant Administrator for Administration and Resources Management
Agency Followup Official (the CFO)
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Audit Followup Coordinator, Office of Administration and Resources Management